Page 78 - DCAP307_PLANNING_AND_MANAGING_IT_INFRASTRUCTURE
Are the control goals clearly stated?
Are the controls suitably designed to achieve the service organisation’s stated control
objectives?
Are the controls actually being used?
Are the controls operating effectively (Type 2 SAS 70 audit)?
Firms considering outsourcing need to spend considerable time and effort to thoroughly review
the outsourcing firm’s SAS 70 audit and ensure that they understand the firm’s control goals and
implementations. They must be comfortable that the internal controls implemented by their
potential partner are adequate. Failure to share the results of an SAS 70 audit should be a
warning signal in dealing with an outsourcing vendor. SAS 70 can help evaluate a firm’s internal
controls, but it does not fully address information security control. ISO (International Standards
Organisation) 17799 identifies “best practice” information security controls and their objectives.
An organisation considering outsourcing can use this standard to evaluate the service provider’s
security policy and measures more fully.
In summary, organisations should choose outsourcing firms based on several factors, as listed
in Box 4.1.
Box 4.1: Factors for Evaluating Outsourcing Partners
Factors
Proven experience in business outsourcing
Reputation
Knowledge of the industry
Expertise in the organization’s processes
Price
Freedom from lawsuits and customer complaints
Financial viability
Trustworthiness
Proven high level of innovation and continuous improvement
Proven ability to deliver services effectively to the countries in a company’s base operations
Use of best-in-class processes and technology
Thorough review of the outsourcing firm’s SAS 70 audit reveals no problem
Review of the outsourcing firm’s security versus ISO 17799 best practices reveals no
major outages.
Source: http://ebooks.narotama.ac.id/files/Information%20Technology%20for%20Managers/Chapter%204%20Business%20Process%20And%20IT%20Outsourcing.pdf
4.5.4 Evaluating Service Provider Locations
Any outsourcing service provider, no matter what its base of operations, can be affected by
economic turmoil, natural disasters, and political disturbances. The potential for these risks is
greater in some places than others. Be sure that you understand the base of operations that will
service your needs. Ideally, your outsourcing partner can provide services from several geographic
locations if necessary. Your company should investigate the capability for avoiding business
interruption whether the outsourcing firm is “on-shore” (in your own country) or off-shore.
72 LOVELY PROFESSIONAL UNIVERSITY